Android phones with NFC can be hijacked via their own browser

New research by security specialists Accuvant has revealed at this year's Black Hat conference that the latest smartphones running Android, and equipped with Near Field Communications (NFC) capabilities, can be hijacked using malicious code loaded via the devices' web browser.

While the NFC protocol remains uncompromised and therefore as safe as ever, Charlie Miller, a principal researcher at the security firm noted that the way in which Android’s Beam software uses NFC is the real cause for concern, as it allows the handset's NFC chip to automatically access its web browser.

This opens the software to almost any kind of malicious browser-based attack via NFC. Criminals could create their own NFC stickers and place them on top of legitimate ones, which when swiped would send code to the NFC-enabled device and exploit the vulnerability using the web browser.

“What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to,” said Miller. “So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC.”

The seriousness of the exploit is heightened by the fact NFC and Android Beam are usually enabled by default in handsets running Android ICS. Even more alarming is that Android Beam automatically downloads any file or web link sent through the service without giving its owner a way of selectively accepting or refusing transfers.

Miller's research also revealed that other NFC-equipped handsets running MeeGo, such as Nokia’s N9, also suffer with the same flaw. However, the larger concern is the number of Android handsets with NFC available, and that includes some of the most popular smartphones, such as Samsung’s Galaxy SIII, the Galaxy Nexus, Sony’s Xperia S and HTC’s One X, among others.